You need to talk to your QSA. Our QSA is great because we can ask him questions 
anytime and he doesn't charge for each question we ask.  He helps us make 
decisions about our products that ease the recertification process.  We only 
pay every 3 years for our PCI PA-DSS certification.  It is well worth the 
investment!  We know we are offering solid PCI PA-DSS solutions to our 

As I understand it, you are responsible for keeping your backups very secure, and 
disposing of the backups in a secure manner (bulk eraser for tape backups?).  For 
disk backups, you should encrypt the backup and securely delete when you no 
longer have a need.  You should have an auditable means of tracking access to 
your backups, especially if it is easy to take the backup off-site.  I don't 
believe you are required to restore the backup, encrypt the data, then cut a 
new backup.

One word of caution: make sure you have the encryption key secured for the 

When it comes to credit cards, it is best to always err on the side of 
caution.  The consequences if you lose data are huge for you and your customers.

Good luck, PCI is real "fun"!

RATEX Business Solutions

-----Original Message-----
[] On Behalf Of Wjhonson
Sent: Wednesday, April 18, 2012 5:27 PM
Subject: [U2] Credit Card numbers in your database

Probably every company has gone through adding more stringent rules to the use 
of credit cards in your database.
But surely no one has actually gone back to their old backups to "cleanse" them 
Does anyone think that's really part of the PCI DSS we're supposed to be 
We have backups going back umpteen years 
U2-Users mailing list